In the first article in this series, I laid out some questions which you need to ask when selecting a smart device to put onto your network. The second tackled operating systems and their updating, the third how the device communicates, both within its local network and with the Internet, and the fourth covered server and app security.

Additional issues

There are several miscellaneous issues which I would like to cover before running through some systems which are available.

The Rapid7 report on baby monitors considered remote shell access, which would enable an intruder who had gained access to your network to use that to take control of the device. That is clearly not acceptable in any networked product, although it relies on another vulnerability to give the intruder access to the device on your network.

One good way for that to happen, of course, is if the device uses unencrypted network communications, and the network can be detected and broken unto wirelessly. This illustrates how multiple apparently minor vulnerabilities can be exploited to accomplish intrusion.

Backdoor accounts with easily guessed, or even published, credentials and physical (‘UART’) access are similar in their implication, although a physical exploit through a ‘service’ hardware means such as ‘UART’ would require an intruder to gain physical access to the device.

Of the new vulnerabilities which Rapid7 identified in the baby monitors which it assessed, one of ten was of remote authentication bypass, and five provided backdoor credentials, four of which could be accessed over the local network.

Smart universes

Several major players have now entered the smart device market, offering complete networked systems which work best with their smart devices, and those of supporting vendors.

Apple, and Nest (owned by Google/Alphabet) are among the first to ship products which support networks of smart devices, and Nest remains one of the most popular vendors of such devices.

Nest, as I have already shown, has clearly been taking security issues seriously, and provides a lot of information to support prospective purchasers negotiate the difficult task of choosing a smart device. Its three flagship products – the Learning Thermostat, Protect, and its camera – run Linux, and Nests’s website details versions and provides additional supporting information. Locally, it uses established and proven WiFi connections, and can also use Bluetooth LE (particularly to connect low-power devices).

Further security research is required still, but Nest’s products look to be acceptably secure.

Apple’s HomeKit uses an AppleTV, running its own version of iOS, as the hub, with local connections made by WiFi and Bluetooth LE. According to press reports, its insistence on meeting good security standards has slowed the provision of third-party smart devices.

Being part of the vast iCloud universe, HomeKit is vulnerable to theft of credentials, which accounted for recent alleged intrusions. Apple’s products are now the subject of extensive security research, and although jailbroken iOS systems have shown worrying vulnerabilities, security updates for iOS generally, and Apple TV, are getting much better.

The moral is that you should never attempt to jailbreak any iOS device unless you wish to cast security to the wind; provided that you keep HomeKit systems up to date, they should prove acceptably secure.

Today, 10 September 2015, marks the launch of Samsung’s rival SmartThings universe. Although details are scant, Samsung has published extensive if preliminary developer documentation. Samsung’s hub is known as the SmartThings Hub, and is expected to run Android, an open-source Linux derivative, with device apps running in a sandbox, similar to that in iOS.

Local networking with other smart devices is by ZigBee and Z-Wave, which both include good security features. Apps are written in a language named Groovy, which does not have an establised track record yet, and amazingly local connections with smart devices do not have to be encrypted: the developer information contains the followed worrying text:
“Commands to and from security-sensitive devices can be sent encrypted by wrapping them in SecurityMessageEncapsulation commands.”

If Samsung wishes to meet acceptable security standards, it is going to have to enforce encryption throughout. Time and testing of devices will tell whether they prove vulnerable.

Another vendor which has announced its own universe is Hoover, with Hoover Wizard. Documentation enabling its security assessment is currently lacking.

Going it alone

Other smart devices, such as the baby monitors assessed by Rapid7, appear to be treading their own path. Over the coming months and years no doubt we will see further reports of their vulnerabilities and shortcomings. The effort, and scope for error, involved in going it alone, outside Nest, HomeKit, SmartThings, and possibly Hoover Wizard, makes it most unwise to put such smart devices on your network.

Chances are that they will have multiple vulnerabilities, and if they don’t, then ascertaining that they are secure is a difficult process in the absence of general standard.